cobaltstrike | b6f21bfdb9c0109adfbe37632b5a876d81a35846d06a5eb4f7a378aba23c4d15

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 05:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

95013f0acdde672571df9fd93301096d
SHA1

538c1bfdda2db60152237ba84f5600e133681529
SHA256

b6f21bfdb9c0109adfbe37632b5a876d81a35846d06a5eb4f7a378aba23c4d15
SHA512

8b11dffac0fc8585209f126e1ab47d0946026759dbce571a890d505f30a80bc9f31f09c5fbc75afa3d238e27f62609878a0d0a780995b5a34b90e26a665861be
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lo:RWWBibf56utgpPFotBER/mQ32lUk

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023414-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-22.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-27.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-40.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023415-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-51.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-80.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023423-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-117.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-129.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-107.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/4580-66-0x00007FF795410000-0x00007FF795761000-memory.dmp	xmrig
behavioral2/memory/1600-75-0x00007FF77C3D0000-0x00007FF77C721000-memory.dmp	xmrig
behavioral2/memory/2524-68-0x00007FF706670000-0x00007FF7069C1000-memory.dmp	xmrig
behavioral2/memory/1384-65-0x00007FF740DA0000-0x00007FF7410F1000-memory.dmp	xmrig
behavioral2/memory/4264-54-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp	xmrig
behavioral2/memory/1240-81-0x00007FF6F2FA0000-0x00007FF6F32F1000-memory.dmp	xmrig
behavioral2/memory/4856-131-0x00007FF78A040000-0x00007FF78A391000-memory.dmp	xmrig
behavioral2/memory/1792-135-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	xmrig
behavioral2/memory/4712-134-0x00007FF7BF040000-0x00007FF7BF391000-memory.dmp	xmrig
behavioral2/memory/2140-133-0x00007FF7739B0000-0x00007FF773D01000-memory.dmp	xmrig
behavioral2/memory/968-132-0x00007FF6D8490000-0x00007FF6D87E1000-memory.dmp	xmrig
behavioral2/memory/2484-128-0x00007FF67AB60000-0x00007FF67AEB1000-memory.dmp	xmrig
behavioral2/memory/5004-127-0x00007FF70DF60000-0x00007FF70E2B1000-memory.dmp	xmrig
behavioral2/memory/3664-94-0x00007FF757680000-0x00007FF7579D1000-memory.dmp	xmrig
behavioral2/memory/4264-136-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp	xmrig
behavioral2/memory/1936-143-0x00007FF79ED30000-0x00007FF79F081000-memory.dmp	xmrig
behavioral2/memory/2760-144-0x00007FF6B37C0000-0x00007FF6B3B11000-memory.dmp	xmrig
behavioral2/memory/748-147-0x00007FF7E8B50000-0x00007FF7E8EA1000-memory.dmp	xmrig
behavioral2/memory/872-153-0x00007FF7CF8F0000-0x00007FF7CFC41000-memory.dmp	xmrig
behavioral2/memory/2972-152-0x00007FF6431D0000-0x00007FF643521000-memory.dmp	xmrig
behavioral2/memory/5000-156-0x00007FF6CF260000-0x00007FF6CF5B1000-memory.dmp	xmrig
behavioral2/memory/2772-155-0x00007FF6F51E0000-0x00007FF6F5531000-memory.dmp	xmrig
behavioral2/memory/3828-154-0x00007FF77A350000-0x00007FF77A6A1000-memory.dmp	xmrig
behavioral2/memory/4264-162-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp	xmrig
behavioral2/memory/1384-214-0x00007FF740DA0000-0x00007FF7410F1000-memory.dmp	xmrig
behavioral2/memory/2524-216-0x00007FF706670000-0x00007FF7069C1000-memory.dmp	xmrig
behavioral2/memory/1600-218-0x00007FF77C3D0000-0x00007FF77C721000-memory.dmp	xmrig
behavioral2/memory/1240-220-0x00007FF6F2FA0000-0x00007FF6F32F1000-memory.dmp	xmrig
behavioral2/memory/3664-222-0x00007FF757680000-0x00007FF7579D1000-memory.dmp	xmrig
behavioral2/memory/5004-227-0x00007FF70DF60000-0x00007FF70E2B1000-memory.dmp	xmrig
behavioral2/memory/2484-228-0x00007FF67AB60000-0x00007FF67AEB1000-memory.dmp	xmrig
behavioral2/memory/1936-238-0x00007FF79ED30000-0x00007FF79F081000-memory.dmp	xmrig
behavioral2/memory/2760-240-0x00007FF6B37C0000-0x00007FF6B3B11000-memory.dmp	xmrig
behavioral2/memory/4580-242-0x00007FF795410000-0x00007FF795761000-memory.dmp	xmrig
behavioral2/memory/748-244-0x00007FF7E8B50000-0x00007FF7E8EA1000-memory.dmp	xmrig
behavioral2/memory/2972-246-0x00007FF6431D0000-0x00007FF643521000-memory.dmp	xmrig
behavioral2/memory/872-253-0x00007FF7CF8F0000-0x00007FF7CFC41000-memory.dmp	xmrig
behavioral2/memory/3828-255-0x00007FF77A350000-0x00007FF77A6A1000-memory.dmp	xmrig
behavioral2/memory/2772-257-0x00007FF6F51E0000-0x00007FF6F5531000-memory.dmp	xmrig
behavioral2/memory/968-262-0x00007FF6D8490000-0x00007FF6D87E1000-memory.dmp	xmrig
behavioral2/memory/1792-265-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	xmrig
behavioral2/memory/4712-269-0x00007FF7BF040000-0x00007FF7BF391000-memory.dmp	xmrig
behavioral2/memory/2140-268-0x00007FF7739B0000-0x00007FF773D01000-memory.dmp	xmrig
behavioral2/memory/4856-264-0x00007FF78A040000-0x00007FF78A391000-memory.dmp	xmrig
behavioral2/memory/5000-260-0x00007FF6CF260000-0x00007FF6CF5B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1384	yeYTtgE.exe
2524	HkpvKvY.exe
1600	cdFiOOh.exe
1240	pMnysGY.exe
3664	FykvfaR.exe
5004	tQDaJeX.exe
2484	tBrHHod.exe
1936	FaKfveV.exe
2760	XuvAntu.exe
4580	fowFcmE.exe
748	rnlfOnD.exe
872	XZZvdNN.exe
2972	ldQIIxK.exe
3828	rElFHar.exe
2772	jRiHhVG.exe
5000	xOAJlmf.exe
4856	zuiYgZT.exe
1792	hoQqKiG.exe
968	BSHbGGE.exe
2140	rWBkwPR.exe
4712	NZmhGro.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4264-0-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp	upx
behavioral2/files/0x0009000000023414-4.dat	upx
behavioral2/memory/1384-8-0x00007FF740DA0000-0x00007FF7410F1000-memory.dmp	upx
behavioral2/files/0x0007000000023418-11.dat	upx
behavioral2/files/0x0007000000023419-10.dat	upx
behavioral2/files/0x000700000002341a-22.dat	upx
behavioral2/files/0x000700000002341b-27.dat	upx
behavioral2/memory/3664-30-0x00007FF757680000-0x00007FF7579D1000-memory.dmp	upx
behavioral2/memory/1240-26-0x00007FF6F2FA0000-0x00007FF6F32F1000-memory.dmp	upx
behavioral2/memory/1600-18-0x00007FF77C3D0000-0x00007FF77C721000-memory.dmp	upx
behavioral2/memory/2524-12-0x00007FF706670000-0x00007FF7069C1000-memory.dmp	upx
behavioral2/memory/5004-39-0x00007FF70DF60000-0x00007FF70E2B1000-memory.dmp	upx
behavioral2/files/0x000700000002341c-41.dat	upx
behavioral2/memory/2484-44-0x00007FF67AB60000-0x00007FF67AEB1000-memory.dmp	upx
behavioral2/files/0x000700000002341d-40.dat	upx
behavioral2/files/0x0008000000023415-46.dat	upx
behavioral2/memory/1936-49-0x00007FF79ED30000-0x00007FF79F081000-memory.dmp	upx
behavioral2/files/0x000700000002341e-51.dat	upx
behavioral2/memory/2760-55-0x00007FF6B37C0000-0x00007FF6B3B11000-memory.dmp	upx
behavioral2/files/0x000700000002341f-61.dat	upx
behavioral2/memory/4580-66-0x00007FF795410000-0x00007FF795761000-memory.dmp	upx
behavioral2/files/0x0007000000023420-67.dat	upx
behavioral2/files/0x0007000000023421-73.dat	upx
behavioral2/memory/872-77-0x00007FF7CF8F0000-0x00007FF7CFC41000-memory.dmp	upx
behavioral2/memory/1600-75-0x00007FF77C3D0000-0x00007FF77C721000-memory.dmp	upx
behavioral2/memory/748-69-0x00007FF7E8B50000-0x00007FF7E8EA1000-memory.dmp	upx
behavioral2/memory/2524-68-0x00007FF706670000-0x00007FF7069C1000-memory.dmp	upx
behavioral2/memory/1384-65-0x00007FF740DA0000-0x00007FF7410F1000-memory.dmp	upx
behavioral2/memory/4264-54-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp	upx
behavioral2/files/0x0007000000023422-80.dat	upx
behavioral2/files/0x0007000000023423-87.dat	upx
behavioral2/memory/2972-82-0x00007FF6431D0000-0x00007FF643521000-memory.dmp	upx
behavioral2/memory/1240-81-0x00007FF6F2FA0000-0x00007FF6F32F1000-memory.dmp	upx
behavioral2/memory/2772-104-0x00007FF6F51E0000-0x00007FF6F5531000-memory.dmp	upx
behavioral2/files/0x0007000000023428-110.dat	upx
behavioral2/files/0x0007000000023427-117.dat	upx
behavioral2/memory/4856-131-0x00007FF78A040000-0x00007FF78A391000-memory.dmp	upx
behavioral2/memory/1792-135-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	upx
behavioral2/memory/4712-134-0x00007FF7BF040000-0x00007FF7BF391000-memory.dmp	upx
behavioral2/memory/2140-133-0x00007FF7739B0000-0x00007FF773D01000-memory.dmp	upx
behavioral2/memory/968-132-0x00007FF6D8490000-0x00007FF6D87E1000-memory.dmp	upx
behavioral2/files/0x000700000002342a-129.dat	upx
behavioral2/memory/2484-128-0x00007FF67AB60000-0x00007FF67AEB1000-memory.dmp	upx
behavioral2/memory/5004-127-0x00007FF70DF60000-0x00007FF70E2B1000-memory.dmp	upx
behavioral2/files/0x0007000000023429-125.dat	upx
behavioral2/files/0x0007000000023426-121.dat	upx
behavioral2/files/0x0007000000023425-116.dat	upx
behavioral2/memory/5000-114-0x00007FF6CF260000-0x00007FF6CF5B1000-memory.dmp	upx
behavioral2/files/0x0007000000023424-107.dat	upx
behavioral2/memory/3828-95-0x00007FF77A350000-0x00007FF77A6A1000-memory.dmp	upx
behavioral2/memory/3664-94-0x00007FF757680000-0x00007FF7579D1000-memory.dmp	upx
behavioral2/memory/4264-136-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp	upx
behavioral2/memory/1936-143-0x00007FF79ED30000-0x00007FF79F081000-memory.dmp	upx
behavioral2/memory/2760-144-0x00007FF6B37C0000-0x00007FF6B3B11000-memory.dmp	upx
behavioral2/memory/748-147-0x00007FF7E8B50000-0x00007FF7E8EA1000-memory.dmp	upx
behavioral2/memory/872-153-0x00007FF7CF8F0000-0x00007FF7CFC41000-memory.dmp	upx
behavioral2/memory/2972-152-0x00007FF6431D0000-0x00007FF643521000-memory.dmp	upx
behavioral2/memory/5000-156-0x00007FF6CF260000-0x00007FF6CF5B1000-memory.dmp	upx
behavioral2/memory/2772-155-0x00007FF6F51E0000-0x00007FF6F5531000-memory.dmp	upx
behavioral2/memory/3828-154-0x00007FF77A350000-0x00007FF77A6A1000-memory.dmp	upx
behavioral2/memory/4264-162-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp	upx
behavioral2/memory/1384-214-0x00007FF740DA0000-0x00007FF7410F1000-memory.dmp	upx
behavioral2/memory/2524-216-0x00007FF706670000-0x00007FF7069C1000-memory.dmp	upx
behavioral2/memory/1600-218-0x00007FF77C3D0000-0x00007FF77C721000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yeYTtgE.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xOAJlmf.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zuiYgZT.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FykvfaR.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tBrHHod.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rnlfOnD.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rWBkwPR.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NZmhGro.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BSHbGGE.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkpvKvY.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cdFiOOh.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tQDaJeX.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FaKfveV.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XuvAntu.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XZZvdNN.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rElFHar.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pMnysGY.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fowFcmE.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ldQIIxK.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jRiHhVG.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hoQqKiG.exe	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 1384	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4264 wrote to memory of 1384	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4264 wrote to memory of 2524	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4264 wrote to memory of 2524	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4264 wrote to memory of 1600	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4264 wrote to memory of 1600	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4264 wrote to memory of 1240	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4264 wrote to memory of 1240	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4264 wrote to memory of 3664	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4264 wrote to memory of 3664	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4264 wrote to memory of 5004	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4264 wrote to memory of 5004	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4264 wrote to memory of 2484	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4264 wrote to memory of 2484	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4264 wrote to memory of 1936	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4264 wrote to memory of 1936	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4264 wrote to memory of 2760	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4264 wrote to memory of 2760	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4264 wrote to memory of 4580	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4264 wrote to memory of 4580	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4264 wrote to memory of 748	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4264 wrote to memory of 748	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4264 wrote to memory of 872	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4264 wrote to memory of 872	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4264 wrote to memory of 2972	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4264 wrote to memory of 2972	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4264 wrote to memory of 3828	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4264 wrote to memory of 3828	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4264 wrote to memory of 2772	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4264 wrote to memory of 2772	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4264 wrote to memory of 5000	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4264 wrote to memory of 5000	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4264 wrote to memory of 968	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4264 wrote to memory of 968	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4264 wrote to memory of 4856	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4264 wrote to memory of 4856	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4264 wrote to memory of 1792	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4264 wrote to memory of 1792	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4264 wrote to memory of 2140	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4264 wrote to memory of 2140	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4264 wrote to memory of 4712	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4264 wrote to memory of 4712	4264	2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-26_95013f0acdde672571df9fd93301096d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\System\yeYTtgE.exe
  C:\Windows\System\yeYTtgE.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\HkpvKvY.exe
  C:\Windows\System\HkpvKvY.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\cdFiOOh.exe
  C:\Windows\System\cdFiOOh.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\pMnysGY.exe
  C:\Windows\System\pMnysGY.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\FykvfaR.exe
  C:\Windows\System\FykvfaR.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\tQDaJeX.exe
  C:\Windows\System\tQDaJeX.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\tBrHHod.exe
  C:\Windows\System\tBrHHod.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\FaKfveV.exe
  C:\Windows\System\FaKfveV.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\XuvAntu.exe
  C:\Windows\System\XuvAntu.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\fowFcmE.exe
  C:\Windows\System\fowFcmE.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\rnlfOnD.exe
  C:\Windows\System\rnlfOnD.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\XZZvdNN.exe
  C:\Windows\System\XZZvdNN.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\ldQIIxK.exe
  C:\Windows\System\ldQIIxK.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\rElFHar.exe
  C:\Windows\System\rElFHar.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System\jRiHhVG.exe
  C:\Windows\System\jRiHhVG.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\xOAJlmf.exe
  C:\Windows\System\xOAJlmf.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\BSHbGGE.exe
  C:\Windows\System\BSHbGGE.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\zuiYgZT.exe
  C:\Windows\System\zuiYgZT.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\hoQqKiG.exe
  C:\Windows\System\hoQqKiG.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\rWBkwPR.exe
  C:\Windows\System\rWBkwPR.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\NZmhGro.exe
  C:\Windows\System\NZmhGro.exe
  2⤵
  - Executes dropped EXE
  PID:4712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BSHbGGE.exe

Filesize
5.2MB

MD5
2764d1a0e95c6473f4ae25a2170b55e2

SHA1
69331877710c9070b8a5155a0f02d5caf9a2b162

SHA256
1752d69f57ed61c46b17de1de8ff741e9fc8d2e05566a8d1275b7feaa55a623f

SHA512
a1dadfca2bc77f1ce4756f21745367528bed68da27f498b77cda3be8cafe51fa9e13cd779ddf087f3dc2b37b0cb9a225b347342309c603df1deea99fcb8e0611

Download Submit
C:\Windows\System\FaKfveV.exe

Filesize
5.2MB

MD5
facd2511daede9a98ac6a555d4e366bd

SHA1
e8d944809cf01099b9a9e703c5ea9ee49c426989

SHA256
1560018e1ec11f56356202491c6eb3da4894f0f3b2e53356a02810e08024e901

SHA512
7ea4e1c54371ec5eb65d9bc461cf9bd1574e2657e465aca33ef47a9d4cba987b6a4dc334886b15e4c1d9fa7406e33f0dc77d0360b69fb98b30ee85928b05f114

Download Submit
C:\Windows\System\FykvfaR.exe

Filesize
5.2MB

MD5
9b3cf6fe31bcaee60bfe2bb00e3a7cfd

SHA1
7ef6d8bd37a710f51b36f80b9049d911a09a88fd

SHA256
7500eb3c299f34d5220fcb7dccbabb7cdb6458cbe7be229f5021bad3af9d7000

SHA512
16a4e2391384af8dc73f74bf729045983904382a157e44d0f2cc4acb28ae96587ab5c7574524355dd6ee0327e7fb457adf4ef5b50b0c2c830c250377b9d58a5a

Download Submit
C:\Windows\System\HkpvKvY.exe

Filesize
5.2MB

MD5
92c12f4dd55f6076ee7c9604a147eedc

SHA1
063a17d2df43f536e4672c684314ea0112a1ec31

SHA256
e502ea5093725453d17e7bfaaddb1bb6b59f9fefb8f7d7b944e9f5bf832fc7b3

SHA512
90d346bbc8c36e8842d4b54f6ab5212178423b4b12bc47f605fff524e1998ec47ce72222af2299cdc38908e4a939c02c428f23b2d7d2c4944a8206099c0630f8

Download Submit
C:\Windows\System\NZmhGro.exe

Filesize
5.2MB

MD5
70074bffbd6a56a2c403d5234d63f324

SHA1
2b290674f145724331f52242c1e271ce3e85de1a

SHA256
e10ddc83a059f070a944f3bed095bace5ede9d3fe3b35ca93128b8409e039a40

SHA512
2416d35b2d703c91c454f6330cd485eefd0583fe9d781c3a4b45c4905f3fdbf551b82c6537d4560de48b681ca184d2b8b0dae8bc949b181cfe3cadd03cce7cb8

Download Submit
C:\Windows\System\XZZvdNN.exe

Filesize
5.2MB

MD5
1d2bc6a351b436ce23e07946ca4098d8

SHA1
1eafa4d67af4193fc99fb8401f5c91ceb93fb16c

SHA256
e9fa3ad715ff13f562e07b758957135a09def1e8161ec43edf9983c3ee99acc4

SHA512
aea4952d0907e51b3f1a30c4ea99fe7dcbfff6d033511a02b81d1505b554ff999c71d160d271be98880669f01d416838a59c809736e2ada437e2b1ef22dc914f

Download Submit
C:\Windows\System\XuvAntu.exe

Filesize
5.2MB

MD5
20db8f6cf090b1feefe91da77c75d327

SHA1
d0cb1166abb404668e44e95c37425aecf89cca19

SHA256
ce32d259a2df0c01cf17e88a0e3e3f12731521a491dc23b3ff980e6ccaa045b7

SHA512
65d3fdb73b6d8995d9d1511aab28e7b672d51daca62ed057e392540dcae7f5040a6c0704797bbf04bd3a75decea8708939fc8e4d466a1d3fe3213a965cc6c7ab

Download Submit
C:\Windows\System\cdFiOOh.exe

Filesize
5.2MB

MD5
41b28c10bdbbac274edf009fdc54a7a3

SHA1
2448183ef19f5e4744ae1090545669320849b400

SHA256
cfd33825aab0456ab7dab505924930a46850164d2832b2f1c0bea6581a053ada

SHA512
dc87d0c3d2e700d31282109b85b21852b2f1d30d7e04d6312747ee67ca52fc2cb0d776bc93de08b0d597434a21fbd7f82da33d6e0f064ad278c44128b701fcd9

Download Submit
C:\Windows\System\fowFcmE.exe

Filesize
5.2MB

MD5
1bdc0613020d568077239ffbd240ecc7

SHA1
59a4267527eae3c5656d1a0fa14366eeff98afe3

SHA256
2f9aded5576912a41ae200481b79bc5bdb761ee4b358016b94ec35bb36a3d9bb

SHA512
dda2ada0029dd5c9f7487b478ce05c4b47ea2aff9d31c980d44e2f873c79465eafef817864840d1d6f302efa545a73beec22d9354b0382c155b41d2174d8deea

Download Submit
C:\Windows\System\hoQqKiG.exe

Filesize
5.2MB

MD5
4589d55dbf4028ce07bf1d58c26ec2f2

SHA1
6ad72f8affc04c42af4a919b6f9c927d174ca7f9

SHA256
1439caa6f6e736d0b87ef027e253cd8831b2c8e75e733bcb9ba9d154607cb89b

SHA512
fdb7dc287a5bf0507ae5e3161b422bf86973433cd9f571772079f923936f84eca627506416ae3f721b82404b6ed1887435fda9cbb9d42113dbff47b208a01e72

Download Submit
C:\Windows\System\jRiHhVG.exe

Filesize
5.2MB

MD5
27f0a83b97121bf0914206af2c60b758

SHA1
abb895f1c5bc0b1db8f9df5c2c6951faf94bea8d

SHA256
1b7c91d58b2b71ae15d6db295f161e6dc7fa3a74f92b648cc6e0d4a794979745

SHA512
c136b3256b06255aeed032d8b9b65b0390d7dd1e3f015ab40567ce1507c5a5c9290143dfb47d0dfc662689b0887eaef1d7b437d937e6c4d8cdc3b2de3378330a

Download Submit
C:\Windows\System\ldQIIxK.exe

Filesize
5.2MB

MD5
3d764324af83099599de6ab30cb39f45

SHA1
b221fe5b7270ca0fa4613aaa1b1de4537c1e220d

SHA256
ed77678b110ff68bbc299220175e2cdf9763217f46ea3850332820abf9848af6

SHA512
6d9ca6e1ee2b5eb28a5c361a3b1456946d15e993ae0c8bf00b100514ff0058bf01c95b14441b44d8009a2b6046014b205e9be62584b75496a8499b557aaa6da3

Download Submit
C:\Windows\System\pMnysGY.exe

Filesize
5.2MB

MD5
a8084ff351162083e32672e8c9a2c40d

SHA1
d79f55d24fc3ca542e416aab9a5c716d1d7b81b1

SHA256
a45c823ed9430c1d8ae23d19ba6e5974127239e827f171d44bb981555e2de8ca

SHA512
358c85dac4b68a66508d0aafc947a9414183bdebc7051069a73753166ae219ab03e25b49db53cfc73ac6103b0dffb7bbb45c976ee4591ba512f7ffc119f7bd87

Download Submit
C:\Windows\System\rElFHar.exe

Filesize
5.2MB

MD5
faeab1e5692ef0da5ff5478864e9a3f6

SHA1
e7a3029fff373b3265153903e9f8b0250a92985d

SHA256
275b7f898c3022d6ad6e0b03c1496cd217461ef2ff31beb6ffbb0b79f8996d66

SHA512
a6e9dacbf23d73fc561e83efa106b58304f70ac5165d13c6b32ea6c7ee49b2cc161350101da90a13a0df51bd2ccdf7aea6c26a4792d6d92e9cea804d21da44a5

Download Submit
C:\Windows\System\rWBkwPR.exe

Filesize
5.2MB

MD5
20060b405285cc69d1902e202afc58ca

SHA1
a86b6dc9b71debde872eb2c5aa3629ae0142430a

SHA256
563240c72a3cc627865633fda4e2cdaab5a4ab954c6eebe93d292cc09b876338

SHA512
0b20920b1b0b69b614094a9a077283497d5dd67729cc52a0a9ce531faaba920a4465aa8805437195b0238ac47b914be84c8cb4c13d5f832be78f289247f5b273

Download Submit
C:\Windows\System\rnlfOnD.exe

Filesize
5.2MB

MD5
ab238137d398b6a605795f9bed0236a8

SHA1
cabbe897a96e14437d94798c16bd1a443d56a158

SHA256
96065b49514e56ecd3268e84999b3e8e4bfcf24f57615bbecf2d74ffc9796fab

SHA512
42067a22e9a408b3eab8c541ad84e41d9022f9ca39094a3261aa7cdda1fed99a92bec3dd0e0cdc1ebb6c551093a95e705e8e5fb936e8af8699da60c55ce25705

Download Submit
C:\Windows\System\tBrHHod.exe

Filesize
5.2MB

MD5
1ddf1a212d04f8a7df61fe3e583773b7

SHA1
e2e6e9ea1a8a92f011a92b2822e675aa5ba213af

SHA256
037919c3cde9aad555609e696cd2bb29e72a719cbcb9b8454a3e59f8d50bd321

SHA512
15dc60a75c299b8bebb715e4ed13c8e432b8e306d53175a64cf00b861674134ca819c5c70639a1e1e1ca2bf978137c834a413769bae019e90817982d8ee02ae2

Download Submit
C:\Windows\System\tQDaJeX.exe

Filesize
5.2MB

MD5
771b74bc52a364c5c79c2bbe9952b93e

SHA1
d6decd0b6275b54f0a49351c3db509aac358477f

SHA256
1a289c4933a6ef0b47041d048be84fd62376460e152729a00f6d65eaa4f61ba1

SHA512
8666de3c05a7cce0c1c1724c67e54ccb3798b5149029043bd4fa95abb9f676fa83855c99e8f34f5d4afdc8fb313004b9c5dc07eb87ece5d02f01325347c0a348

Download Submit
C:\Windows\System\xOAJlmf.exe

Filesize
5.2MB

MD5
4762239c675ad305ed2e770960a212bf

SHA1
c1d04164504ae0c660a50aec0b78f5c205479c59

SHA256
cd7c591908e3cbf123993b21109461b2433464c70bbeb1e439d9a5ca90cefed0

SHA512
0a2514eee491f566500c8c426f324566f231fb43605d78bd8bb080fbe875ed3acaabb04568de2e23ee2e9a04f8fad7f75c1825b5dfa21da2a5d1d12426776118

Download Submit
C:\Windows\System\yeYTtgE.exe

Filesize
5.2MB

MD5
83f95de4d3d2ac1b21ef90c3aff711c7

SHA1
d85318023a5110e6b18e1c28a030fcad2aaa18be

SHA256
d41d2b81b5109bbf2964f237410a4beee49498a5fb87fb64efb1c513e0f9247c

SHA512
dca1caa66ea721629c51f1934ee3e7889010c1b45161f193635d564e5eb2684a970a02982fff89c296c949eb9e676cc8f419481e3d0dc551883d8703d3255ff0

Download Submit
C:\Windows\System\zuiYgZT.exe

Filesize
5.2MB

MD5
75f1940e01b82aa32aa0cf13dd3e9121

SHA1
171af4dde3f3dea227e4139c8db987c4c16e67d0

SHA256
365bde57a2d395178a496497375707fd964b15b6be39e3defa4818c0f30667dd

SHA512
cf21588b4211e442f29d0303de677edde568aacac80b3217e97c190bf37171de5799436766697b6783e94676298e96280c7f7e5b331b4a1ddb71a38e43dd1b61

Download Submit
memory/748-69-0x00007FF7E8B50000-0x00007FF7E8EA1000-memory.dmp

Filesize
3.3MB

Download
memory/748-244-0x00007FF7E8B50000-0x00007FF7E8EA1000-memory.dmp

Filesize
3.3MB

Download
memory/748-147-0x00007FF7E8B50000-0x00007FF7E8EA1000-memory.dmp

Filesize
3.3MB

Download
memory/872-77-0x00007FF7CF8F0000-0x00007FF7CFC41000-memory.dmp

Filesize
3.3MB

Download
memory/872-153-0x00007FF7CF8F0000-0x00007FF7CFC41000-memory.dmp

Filesize
3.3MB

Download
memory/872-253-0x00007FF7CF8F0000-0x00007FF7CFC41000-memory.dmp

Filesize
3.3MB

Download
memory/968-262-0x00007FF6D8490000-0x00007FF6D87E1000-memory.dmp

Filesize
3.3MB

Download
memory/968-132-0x00007FF6D8490000-0x00007FF6D87E1000-memory.dmp

Filesize
3.3MB

Download
memory/1240-26-0x00007FF6F2FA0000-0x00007FF6F32F1000-memory.dmp

Filesize
3.3MB

Download
memory/1240-220-0x00007FF6F2FA0000-0x00007FF6F32F1000-memory.dmp

Filesize
3.3MB

Download
memory/1240-81-0x00007FF6F2FA0000-0x00007FF6F32F1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-65-0x00007FF740DA0000-0x00007FF7410F1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-8-0x00007FF740DA0000-0x00007FF7410F1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-214-0x00007FF740DA0000-0x00007FF7410F1000-memory.dmp

Filesize
3.3MB

Download
memory/1600-75-0x00007FF77C3D0000-0x00007FF77C721000-memory.dmp

Filesize
3.3MB

Download
memory/1600-18-0x00007FF77C3D0000-0x00007FF77C721000-memory.dmp

Filesize
3.3MB

Download
memory/1600-218-0x00007FF77C3D0000-0x00007FF77C721000-memory.dmp

Filesize
3.3MB

Download
memory/1792-265-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp

Filesize
3.3MB

Download
memory/1792-135-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp

Filesize
3.3MB

Download
memory/1936-49-0x00007FF79ED30000-0x00007FF79F081000-memory.dmp

Filesize
3.3MB

Download
memory/1936-238-0x00007FF79ED30000-0x00007FF79F081000-memory.dmp

Filesize
3.3MB

Download
memory/1936-143-0x00007FF79ED30000-0x00007FF79F081000-memory.dmp

Filesize
3.3MB

Download
memory/2140-133-0x00007FF7739B0000-0x00007FF773D01000-memory.dmp

Filesize
3.3MB

Download
memory/2140-268-0x00007FF7739B0000-0x00007FF773D01000-memory.dmp

Filesize
3.3MB

Download
memory/2484-128-0x00007FF67AB60000-0x00007FF67AEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-44-0x00007FF67AB60000-0x00007FF67AEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-228-0x00007FF67AB60000-0x00007FF67AEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-12-0x00007FF706670000-0x00007FF7069C1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-216-0x00007FF706670000-0x00007FF7069C1000-memory.dmp

Filesize
3.3MB

Download
memory/2524-68-0x00007FF706670000-0x00007FF7069C1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-55-0x00007FF6B37C0000-0x00007FF6B3B11000-memory.dmp

Filesize
3.3MB

Download
memory/2760-144-0x00007FF6B37C0000-0x00007FF6B3B11000-memory.dmp

Filesize
3.3MB

Download
memory/2760-240-0x00007FF6B37C0000-0x00007FF6B3B11000-memory.dmp

Filesize
3.3MB

Download
memory/2772-155-0x00007FF6F51E0000-0x00007FF6F5531000-memory.dmp

Filesize
3.3MB

Download
memory/2772-257-0x00007FF6F51E0000-0x00007FF6F5531000-memory.dmp

Filesize
3.3MB

Download
memory/2772-104-0x00007FF6F51E0000-0x00007FF6F5531000-memory.dmp

Filesize
3.3MB

Download
memory/2972-246-0x00007FF6431D0000-0x00007FF643521000-memory.dmp

Filesize
3.3MB

Download
memory/2972-152-0x00007FF6431D0000-0x00007FF643521000-memory.dmp

Filesize
3.3MB

Download
memory/2972-82-0x00007FF6431D0000-0x00007FF643521000-memory.dmp

Filesize
3.3MB

Download
memory/3664-222-0x00007FF757680000-0x00007FF7579D1000-memory.dmp

Filesize
3.3MB

Download
memory/3664-30-0x00007FF757680000-0x00007FF7579D1000-memory.dmp

Filesize
3.3MB

Download
memory/3664-94-0x00007FF757680000-0x00007FF7579D1000-memory.dmp

Filesize
3.3MB

Download
memory/3828-95-0x00007FF77A350000-0x00007FF77A6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3828-154-0x00007FF77A350000-0x00007FF77A6A1000-memory.dmp

Filesize
3.3MB

Download
memory/3828-255-0x00007FF77A350000-0x00007FF77A6A1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-136-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-1-0x00000228EA580000-0x00000228EA590000-memory.dmp

Filesize
64KB

Download
memory/4264-162-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-54-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp

Filesize
3.3MB

Download
memory/4264-0-0x00007FF7BA950000-0x00007FF7BACA1000-memory.dmp

Filesize
3.3MB

Download
memory/4580-66-0x00007FF795410000-0x00007FF795761000-memory.dmp

Filesize
3.3MB

Download
memory/4580-242-0x00007FF795410000-0x00007FF795761000-memory.dmp

Filesize
3.3MB

Download
memory/4712-134-0x00007FF7BF040000-0x00007FF7BF391000-memory.dmp

Filesize
3.3MB

Download
memory/4712-269-0x00007FF7BF040000-0x00007FF7BF391000-memory.dmp

Filesize
3.3MB

Download
memory/4856-131-0x00007FF78A040000-0x00007FF78A391000-memory.dmp

Filesize
3.3MB

Download
memory/4856-264-0x00007FF78A040000-0x00007FF78A391000-memory.dmp

Filesize
3.3MB

Download
memory/5000-156-0x00007FF6CF260000-0x00007FF6CF5B1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-114-0x00007FF6CF260000-0x00007FF6CF5B1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-260-0x00007FF6CF260000-0x00007FF6CF5B1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-127-0x00007FF70DF60000-0x00007FF70E2B1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-227-0x00007FF70DF60000-0x00007FF70E2B1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-39-0x00007FF70DF60000-0x00007FF70E2B1000-memory.dmp

Filesize
3.3MB

Download